If users are authenticated in the ObjectServer, you can
control the user authentication mechanism by setting ObjectServer
properties. You can change the encryption algorithm for passwords,
or restrict the passwords to a specific format, or both.
Procedure
- To change the encryption algorithm for the passwords, set the PasswordEncryption property to the required value. This property defines the encryption scheme that is used to encrypt user passwords that are stored in the ObjectServer. Possible values are as follows:
- DES: Data Encryption Standard encryption. Only the first eight characters of a DES-encrypted password are read. Additional characters are ignored.
- AES: Advanced Encryption Standard (AES128) encryption. Only the first 16 characters of an AES128-encrypted password are read. Additional characters are ignored. In FIPS 140-2 mode, the AES option is mandated by the system. In Fix Pack 24, the AES scheme is enhanced to support longer passwords, up to a maximum of 64 characters (a limit imposed by storage). Because of password size limitations in the JDBC jConnect library, users that do not have the OMNIbus client libraries cannot exchange a password longer than 30 characters with the ObjectServer and cannot log in to the server. To log in successfully, these users' passwords must be no greater than 30 characters.
For non-FIPS 140-2 installations, the default is DES. For FIPS 140-2 mode, the default is AES.
- To restrict the format of the passwords, set the RestrictPasswords
property to TRUE.
The following password restriction parameters are available in Fix Pack 25. In
an upgraded system these parameters might not be present in the properties file. The new parameters
are not automatically added into existing properties files.
- PasswordInHistory stores a password history of the last specified number of
passwords for each user. Specify a value greater than 0. The default value is 0 (disabled). When a
user attempts to change their password, the new password is checked against the stored passwords for
that user. If the new password is found in the password history, the new password is rejected and
the user must select a new password.
- PasswordMinAge prevents users from changing their password before a certain
number of days. Specify a value greater than 1. The default value is 0 (disabled).
- PasswordMaxAge sets the maximum permitted password age. Specify a value greater than 0. The default value is 0 (disabled). When a user logs in to the system, their password age is checked. If the password has exceeded the maximum permitted age, the login attempt is rejected. Only the root user is exempt from this restriction. If the PasswordMaxAge parameter is configured, the alert_user_to_old_passwords trigger, or a similar custom version, should be enabled. For more information, see Standard Tivoli Netcool/OMNIbus automations.
- To specify the format to which the passwords are restricted, set the
PasswordFormat property to the required value.
The property defines the format of user passwords. It works only when the RestrictPasswords property is set to TRUE.
Specify the value of this property as a colon-separated set of integer values. Each value defines a password requirement. The format is:
min_len:alpha_num:digit_num:punct_num:contains username:accept_max_consecutive
where:
- min_len is the minimum password length.
- alpha_num is the minimum number of alphabetic characters.
- digit_num is the minimum number of numeric characters.
- punct_num is the minimum number of punctuation characters.
- contains username controls whether a
password can contain the user name or not, where 0 means the user name is not permitted, while 1
means the user name is permitted in the password. The default setting is 1.
- accept_max_consecutive controls whether a password can
contain a certain number of consecutive user name characters or not, where 0 means the limit is not
applied, while 3 means that three consecutive user name characters are permitted. The default
setting is 0.
The minimum alphabetic, numeric, and punctuation character requirements must be satisfied within the number of characters specified by the minimum password length. With the default value of 8:1:1:0:1:0, a password must contain 1 alphabetic character and 1 numeric character in its first 8 characters. For example, if the property is set to 8:1:1:0:1:0 and a user specifies the password abcdefgh590675, the password is rejected because the first 8 characters contain no numeric characters.
After this property is set, the ObjectServer validates all new or changed passwords against this requirement, and passwords that do not meet the requirement are rejected. Existing passwords are not validated. For example, if you change the contains username value from the default 1 to 0, only passwords of new users added by the CREATE USER command, or passwords of existing users modified with the ALTER USER command, are validated to check for the occurrence of a user name in the password.
Example
To help you understand the effects of the RestrictPasswords and PasswordFormat properties,
and the PasswordEncryption property, consider
the following example:
- RestrictPasswords is set to TRUE.
- PasswordFormat is set to the default,
8:1:1:0:1:0.
- PasswordEncryption is set to the default, DES.
If a user creates the password 1234abcdxyz, this password is accepted because it meets the
requirement specified by the PasswordFormat property: a minimum of 8
characters, a minimum of 1 alphabetic character and a minimum of 1 numeric character with no limit
to the number of consecutive user name characters. Because DES encryption is set, only the first 8 characters, 1234abcd, are
read. The characters xyz are ignored. Consequently, the same user could log in with the password
1234abcdxxx. Because only the first 8 characters are significant for encryption, and the password
formatting requirements are met, the incorrect password is accepted.
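As an added illustration (not Netcool/OMNIbus code), the following Python models the PasswordFormat check described above and the per-scheme truncation shown in this example, so an administrator can test a candidate PasswordFormat value and see which accepted passwords collide under DES. The six-field order follows the format on this page; the reading of "consecutive user name characters" as any substring of the user name, and the helper names, are assumptions.

```python
import string

# Characters that actually enter the stored hash under each PasswordEncryption
# scheme, as documented: DES reads the first 8, AES128 the first 16.
SIGNIFICANT_CHARS = {"DES": 8, "AES": 16}

FIELDS = ("min_len", "alpha_num", "digit_num", "punct_num",
          "contains_username", "accept_max_consecutive")


def parse_format(fmt):
    """Parse a PasswordFormat string such as '8:1:1:0:1:0' into named fields."""
    values = [int(v) for v in fmt.split(":")]
    if len(values) != len(FIELDS):
        raise ValueError("PasswordFormat needs six colon-separated integers")
    return dict(zip(FIELDS, values))


def longest_username_run(password, username):
    """Longest substring of the user name that appears in the password.
    (Our reading of 'consecutive user name characters'; an assumption.)"""
    longest = 0
    for n in range(1, len(username) + 1):
        if any(username[i:i + n] in password
               for i in range(len(username) - n + 1)):
            longest = n
    return longest


def check_password(password, username, fmt="8:1:1:0:1:0"):
    """Return None if the password satisfies the format, else the rejection reason.
    Only the first min_len characters count toward the class minimums."""
    f = parse_format(fmt)
    if len(password) < f["min_len"]:
        return "shorter than min_len"
    window = password[:f["min_len"]]
    counts = {"alpha_num": sum(c.isalpha() for c in window),
              "digit_num": sum(c.isdigit() for c in window),
              "punct_num": sum(c in string.punctuation for c in window)}
    for key, have in counts.items():
        if have < f[key]:
            return f"fewer than {f[key]} {key} characters in first {f['min_len']}"
    if f["contains_username"] == 0 and username in password:
        return "contains user name"
    limit = f["accept_max_consecutive"]
    if limit and longest_username_run(password, username) > limit:
        return f"more than {limit} consecutive user name characters"
    return None


def stored_form(password, scheme="DES"):
    """The characters the ObjectServer compares at login under the scheme."""
    return password[:SIGNIFICANT_CHARS[scheme]]
```

Two passwords with the same stored_form() are indistinguishable at login, which is why the page's 1234abcdxyz and 1234abcdxxx both authenticate under DES but not under AES.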